CVE-2024-1047

MEDIUM

ThemeIsle SDK - Unauthenticated Data Modification via register_reference() Missing Capability Check

Description

Multiple plugins and/or themes for WordPress that include the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update option values that allow ThemeIsle to track promotional activities via utm_source.

Scores

CVSS v3: 5.3
EPSS: 0.0056
EPSS Percentile: 42.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-862
Status: published
Products (13):
optimole/Optimole – Optimize Images in Real Time < 3.12.4
optimole/Super Page Cache < 4.7.5
rsocial/Revive Social – Social Media Auto Post and Scheduling Automation Plugin < 9.0.25
themeisle/LightStart – Maintenance Mode, Coming Soon and Landing Page Builder < 2.6.9
themeisle/Menu Icons by ThemeIsle < 0.13.8
themeisle/Multiple Page Generator Plugin – MPG < 3.4.0
themeisle/Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More < 2.10.28
themeisle/orbit_fox < 2.10.28
themeisle/Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE < 2.6.2
themeisle/PPOM – Product Addons & Custom Fields for WooCommerce < 32.0.9
... and 3 more
Published: Feb 02, 2024
Tracked Since: Feb 18, 2026